Two professors teaching a cyberwarfare course sought to teach creative thinking. Their method? An impossible test with the idea that students must cheat â and that not getting caught cheating was what the test was actually about.
In other words, they stole the concept of Kobayashi Maru.
Why? The introduction to their paper sums it up:
âAdversaries cheat. We donât. In academic institutions around the world, students understand that they will be expelled if they violate their collegeâs honor code or otherwise fail to play by the institutional rules. The dissonance between how our adversaries operate and how we teach our students puts our students at a distinct disadvantage when faced with real world adversaries who inevitably do not play by the rules. Breaking through the paradigm where students self- censor their ways of thinking to a new paradigm that cultivates an effective adversary mindset is both necessary and possible.â
The paper itself details the methods and manner each student used. And in each case the student exploited a loophole in the teacherâs rule set.
Sometimes the phrase âRed Teamâ or âRed Cellâ is used to describe those who are designated to exploit our potential weaknesses. I prefer the term âDevilâs Advocateâ â the Catholic concept of bringing evidence against canonization of a Saint. Why? Because the Devilâs Advocate canât just say âwell, what if?â. The Devilâs Advocate must make his case. He must be able to actualize his contention.Too many Red Teams just say âwhat ifâ and walk away. Their concept or challenge must not be realistic, achievable, or anything other than a wrench in the machine, and that is not creative thinking â itâs is disruptive, destructive, and dangerous because it does nothing but cause trouble. It does not seek to exploit or identify a loophole.
The paperâs conclusionâŚ
âTeach yourself and your students to cheat. Weâve always been taught to color inside the lines, stick to the rules, and never, ever, cheat. In seeking cyber security, we must drop that mindset. It is difficult to defeat a creative and determined adversary who must find only a single flaw among myriad defensive measures to be successful. We must not tie our hands, and our intellects, at the same time. If we truly wish to create the best possible information security professionals, being able to think like an adversary is an essential skill. Cheating exercises provide long term remembrance, teach students how to effectively evaluate a system, and motivate them to think imaginatively. Cheating will challenge studentsâ assumptions about security and the trust models they envision. Some will find the process uncomfortable. That is OK and by design. For it is only by learning the thought processes of our adversaries that we can hope to unleash the creative thinking needed to build the best secure systems, become effective at red teaming and penetration testing, defend against attacks, and conduct ethical hacking activities.â
The final kicker? This was done at the US Military AcademyâŚ
As a military we prize conformity. And that conformity in the main is a good thing. But we also need people who are capable of thinking â and actualizing â âwhat ifâ. What if we loaded up our carriers with airplanes and launched from maximum range on a Sunday morning? What if we hijacked and piloted fuel laden commercial jets into office buildings? What if we designed a computer virus geared to do one thing and one thing only? What if we use runners for messages and small speedboats to attack the carriers?
Not âWhat if someone took over a LNG tanker and blew it upâ without describing the how, what, why, and physics behind it.
The paper is a quick read. Take a look. Then think about how you can teach your people to think creatively for the betterment of the next operation, next mission, next maintenance, next training. But make them do so in a manner that is achievable. Make them âcheatâ â and not get caught.
(h/t Bruce Schneier)
- Join Us for the Midrats’ 250th! 19 October 14 at 5pm (EDT)
- Building to Strength
- On Midrats 5 Oct 14 – Episode 248: “Anti-Access Area-Denial (A2AD) with Sam Tangredi”
- The Virtue of Being a Generalist, Part 3: Viper and the Pitfalls of âGood Enoughâ
- Midrats 21 Sept 14 – Episode 246: “When the short snappy war goes long, with Chris Dougherty”